The digital world is in constant change, and that change keeps it exposed to cyber crime, intrusion and data loss. Enterprises need to be continually vigilant to protect one of their biggest assets: information. Understanding the problem is not difficult, but guarding your data is not quite as easy.
Finding an effective security strategy that works for you is not simply a matter of bolting down all the data floating inside and outside your organisation and putting up ramparts in the form of a firewall. It may surprise you that over the last twelve months one of the biggest sources of security breaches was people already inside the firewall: current employees and former employees. Securing applications and hardware is therefore only part of the equation.
Enterprises need to change their mindset and put information security ahead of infrastructure security: safeguard valuable information better, without imposing harsh security policies that are impractical and unreasonable for both employees and partners.
Enterprises have instinctively gone for the 'pin it all down' approach: screen hardware and systems from malware, viruses and other cyber threats, then protect the applications and data that run on those systems and support everyday operations. On the surface this looks like a workable strategy. Scratch the surface and you will see that trying to protect every byte of the huge amounts of data that enterprises generate on a daily basis is both unnecessary and almost impossible.
The first question to ask yourself is how valuable all this information actually is. Of course there will be data, such as customer records and financial information, that you don't want compromised. But the leaks rarely happen while that data sits in a well-secured database. They happen when it is exported out of its safe environment. In addition, you have raw data floating around that may be valuable when analysed, such as business forecasts and new business proposals. You will find that the intelligence derived from this data is often not stored on one secure system. Employees are happily sharing it both inside and outside the enterprise, often in an unprotected fashion, whether in the course of their daily business, unintentionally or maliciously. This is data you have spent time and money protecting from external attacks, only for it to leak out internally. Now you see why protecting information, and not just infrastructure, is so important.
The firewall, the anti-virus and anti-malware tools and the encrypted fibre network do nothing for you in this scenario. It is a bit like fitting a burglar alarm to your home and then going out and leaving the key in the door.
What can you do to protect information?
Don't be under the illusion that compliance with legislative and regulatory requirements and internal company security policies will be your saviour. It won't. Yes, some of these requirements are mandatory in business today, but compliance with legislation and policies written to improve security is often not sufficient to address growing cyber threats.
You also need to get your own house in order when it comes to your security policy and ensure it is updated regularly. Over-complicating it and filling it with jargon will leave employees baffled, and they won't put it into practice. It has been estimated that around 70% of employee-related security breaches at enterprises result from poorly understood security policies. So make it simple.
It may surprise you that some enterprises find it difficult to settle on one security policy and instead have countless versions floating around. It makes sense to have a central place for all company policies, and to keep a single security policy there that has a named owner and is constantly reviewed and updated. This unified approach makes the policy accountable and measurable going forward.
If new business requirements come into play, review your security policy immediately; don't leave it until its scheduled review date. With the arrival of BYOD, for example, some enterprises have not updated their security policies to reflect the use of such devices. By leaving this trend out of their security policies they are leaving their information highly exposed.
Creating a workable security policy that is adhered to and understood across the enterprise truly goes a long way in creating a robust security program, and should never be skimped on by either time or budget.
As I have stressed throughout this piece, focus on protecting information before infrastructure. With the continued growth in mobile technology, the arrival of wearable technology and the trend for BYOD (Bring Your Own Device), this has never been so important. With information the prime target of threats such as the Advanced Persistent Threat, enterprises need to put information at the forefront of their security strategy.
Where sensitive and confidential information is being shared inside and outside the enterprise, the IT department needs to provide sharing tools that are intuitive and highly functional yet give the enterprise the utmost control over that information. With the right tools and a secure environment, people can continue doing their jobs uninterrupted.
Remember that security is everybody's concern. Training on the dangers of carrying and sharing valuable and confidential information will increase awareness of security measures across the enterprise. But also remember that asking users to change their behaviour as little as possible is key to implementing a security policy successfully: the less the secure path differs from the way people already work, the more likely they are to follow it.
Your employees can also provide a high degree of security protection if they receive the right training, and by training I mean training that is easy to comprehend. Employees are never going to wade through a 70-page security policy. So think outside the box. Some companies have adopted a games-style interface for security training to ensure employees understand their security policies. Don't forget that employees are also key to your security defence: they need to be able to recognise possible security threats and risky situations, and to know how to react quickly and whom to report to.
IT professionals do understand the importance of a workable security policy and employee training, but all too often they are forced to cut corners when it comes to developing them. To effectively protect your enterprise's information, IT professionals must be given adequate time to create a policy, to update it regularly, and to provide simple, easy-to-understand guidelines and training to employees. Your mantra should be: make it simple, make it workable.
The biggest mistake enterprises make when briefing IT professionals on a security policy is going into panic mode and demanding that all information be locked down. Instead, leadership should start by asking which information actually needs the most protection. Initial focus should be on high-risk information, which needs defending first. This is the first stake in the ground for any risk-driven approach to security and data protection policy in an enterprise.
Yes, external parties can be a risk, but your biggest danger comes from within. Enterprises should look at key areas such as access and privacy controls and apply their security and compliance policies from the inside of the organisation outwards. If those controls are enforced with rigour, your defences will be that much stronger.
By failing to address risks posed by internal employees, you are leaving the door wide open to entirely preventable breaches and data loss. Employees, either intentionally or unintentionally, can actually do more damage to your enterprise than any hacker lurking out there. Ignore at your peril.
Security needs to be transparent and, where possible, work with the organisation's cultural norms rather than against them. Aim for logical security guidance within the enterprise that is easy to consume and follow. That way you are on to a win-win situation.
Security providers are now concentrating on effective interfaces and performance levels in their designs. Enterprises should take the time to evaluate and choose the systems and services that best suit their security policies and environment. By joining all the dots, an enterprise can be sure that it has done as much as possible to protect one of today's most valuable assets: information.
Mark Edge, Country Manager UK, Brainloop. Mark Edge joined Brainloop in September 2014 and brings over 20 years of sales experience in the IT, security and networking industries. In his current role he is responsible for building out Brainloop's UK team and driving the company's growth across the region.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.